Snort mailing list archives

How to extract part of “content ” and print in “msg” of a Snort Alert
From: Heshan Perera <anthonyheshanperera () gmail com>
Date: Mon, 15 Apr 2013 18:36:10 +0530

I am trying to write a Snort rule that will allow me to print the name of a
file being downloaded via FTP.

The following is the rule I have so far...

alert tcp any any <> any any (content:"RETR:";msg:"A file is being

While this rule works, I can't figure out how to print the name of the file
in the "msg" component of the alert. For example, I would want the output of
the alert to be something like...

*"A file is being downloaded. The file name is foo.txt".*

The file name is available in the content of the FTP traffic (RETR: /foo.txt

I just cannot figure out how to extract that content and print it as a part
of the message.

Any help on this would be highly appreciated.
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
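Added example, not code from the post or from the Snort project: a Snort rule's msg is a fixed string, so the filename cannot be interpolated into it; instead the rule fires on the RETR command and the logged payload is post-processed to build the message the post asks for. The rule's sid (1000001), the destination port 21 and the sample payloads are assumptions constructed for this example; per RFC 959 the command line is "RETR <pathname>\r\n" with no colon.

```python
import re

# Snort 2.x rule (assumed local sid 1000001) that fires on an FTP RETR command.
# msg is static; the filename is recovered from the logged payload below.
SNORT_RULE = (
    'alert tcp any any -> any 21 (msg:"FTP RETR file download"; '
    'flow:to_server,established; content:"RETR "; nocase; '
    'pcre:"/^RETR\\s+[^\\r\\n]+/i"; sid:1000001; rev:1;)'
)

# Constructed sample payloads as Snort would log them for control-channel packets.
SAMPLE_PAYLOADS = [
    b"RETR /foo.txt\r\n",                    # the case from the post
    b"retr  reports/q1 summary.pdf\r\n",     # lower case, extra spaces, space in name
    b"STOR upload.bin\r\n",                  # an upload, not a download
    b"RETR\r\n",                             # RETR with no argument
]

# RFC 959: "RETR" SP <pathname> CRLF (case-insensitive command verb).
RETR_RE = re.compile(rb"^RETR[ \t]+([^\r\n]+)\r?\n", re.IGNORECASE)


def extract_retr_filename(payload: bytes):
    """Return the pathname argument of an FTP RETR command, or None if absent."""
    m = RETR_RE.match(payload)
    if not m:
        return None
    name = m.group(1).strip()
    return name.decode("utf-8", errors="replace") if name else None


def build_alert_msg(payload: bytes):
    """Compose the dynamic alert text the post wants, or None for non-RETR traffic."""
    name = extract_retr_filename(payload)
    if name is None:
        return None
    # Replace control characters so a hostile filename cannot forge extra log lines.
    safe = "".join(ch if ch.isprintable() else "?" for ch in name)
    return f"A file is being downloaded. The file name is {safe}"


def summarize(payloads):
    """Run the post-processor over logged payloads, keeping only RETR downloads."""
    return [msg for msg in (build_alert_msg(p) for p in payloads) if msg]


if __name__ == "__main__":
    for line in summarize(SAMPLE_PAYLOADS):
        print(line)
```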
